Viewing Real-time Search Results

Real-time Search results display matching events that occur from the current time onwards.

The search results are displayed in two panes:

  • The top pane displays the count of matched events over time.
  • The bottom pane displays the results in tabular form, following the definitions in the Display Fields.
    Note that aggregations are not permitted in real-time search. Because results arrive continuously, the table scrolls and the latest events are displayed at the top.

The following actions are possible while viewing Real-time Search results:

  • To pause the search, click Pause.
  • To resume the real-time search from the point where you paused it, click Resume.
  • To fast forward to the current time, click Fast forward.
  • To clear the result table, click Clear.
  • To restart the search from scratch, beginning at the current time, click Stop and then Run.

In real-time search, only the Event Type (a unique identifier) is displayed; Event Names are not displayed. To see the Event Type, enable Show Event Type while running the real-time query.

Raw events often take many lines to display in a search result. By default, raw events are truncated to a single line so that the user can see many results on one page. To see the full raw event, select the Wrap Raw Event check box.

Viewing Parsed Raw Events

Hover over a Raw Event Log cell and click Show Details. The display shows how FortiSIEM parses the event into its attributes.

Adding an Attribute to the Filter Criteria in the Search

Complete these steps to add an attribute to the filter criteria in the search:

  1. Check the Filter column for the attribute.
  2. Click OK.
     The attribute is added to the filter condition.
  3. Re-run the query to get the new results.

Adding an Attribute to the Search Display

Complete these steps to add an attribute to the search display:

  1. Check the Display column for the attribute.
  2. Click OK.
     The attribute is added to the Display Fields.
  3. Re-run the query to get the new results.

Zooming-in on a Specific Time Window

If you see an unusual pattern (for example, a spike) in the trend chart and want to drill down without typing the exact time range, do one of the following:

  • Click the bar. A new search tab is created by duplicating the original search and setting its time window to the one shown when you hover over the bar.
  • Press and hold the Shift key and drag the mouse across a time window. This modifies the time window in the current tab; click Apply & Run to see the results.

If a real-time search is running when you do this, a pop-up asks whether you want to stop the real-time search before proceeding to the historical search.